Thursday, October 15, 2009

Accountability or anonymity or can we have both?

This blog post was prompted by the question "which is more important when it comes to online activities: accountability or anonymity?" (short answer: it depends :)

Accountability is all about holding an individual accountable for what (s)he does; it's about identification. Anonymity, on the other hand, is about de-identification and the privacy of individuals.

From the PoV of on-going research, I find three main areas under which anonymity is being considered (am I missing any other ones?)

1. Anonymous access to resources
Here the goal is to allow users to access some service or resource anonymously, without revealing their identity. It's mainly about unlinkability: no two transactions can be linked to a single user. Bob buys a T-shirt from JC Penney and a denim from Old Navy; he uses the same Chase credit card for both transactions. For privacy reasons, Bob may not want his bank, Chase, to know how he spent his money. If the system worked that way, it would give Bob unlinkability at his bank. However, unlinkability in this case may be undesirable for security reasons: if the transactions cannot be linked to Bob, it would be really hard, if not impossible, to identify fraudulent activities by bad users. If Bob really wants to prevent his bank from knowing how he spent his money, the safest way is to use cash - that's the price Bob needs to pay to remain unlinkable! Note that there are many cryptography-based e-cash schemes that achieve the same objective.

As you can see, the decision to go anonymous has a cost. The issue is to decide whether the benefits outweigh the cost. Take another example. You may not like, for example, Marsh or Pay Less tracking all your transactions - you lose your privacy, apparently without any gain for you. What if the loyalty card from Marsh or Pay Less gives you a discount on most of the items you buy? Most of us (at least graduate students) will go for the loyalty card. The problem here is that there is no way for us to quantify the cost of losing privacy (shopping history), and further, the effect of losing privacy may not be immediate.

What about online services? Would you be comfortable if a digital library service recorded all your moves? Think about it: when you go to a public library in your area, you can read whatever books, newspapers and magazines you want, in whatever sections you want, without being noticed or recorded. Anonymization techniques may come to your rescue and protect your privacy (i.e. your reading habits). But what do you lose for your privacy? If you are not anonymous (unlinkable), the digital library service may offer you a better service by recommending books and magazines that are closely related to your reading habits. The same goes for online shopping web sites. On a related note, your online access traces could be a valuable source of income for free services such as YouTube, Hulu, etc.

2. Anonymous publishing
Here I am talking about publishing content without revealing your real identity. Most of the time, one publishes under a pseudonym. Publications could be writing a comment, blog post, news article or paper, posting photos/videos, tweeting, etc. A pseudonym hides your real identity but does not prevent linkability. There are systems such as Freenet and Publius that even make it difficult, if not impossible, to censor what is published; once you publish, no one can take it out. There are good and bad things about anonymous publishing. It is a good thing if someone wants to voice their political opinion or something similar without having to face any repercussions. We make a very important implicit assumption here: that the society we live in always acts well and that whatever its members do falls under what we perceive as 'acceptable'. It'd be naive to think we can always assume this to be true. We do have bad guys - true, it's only a minority - but this minority could do major damage. A simple example is defaming others from behind the screen for personal, political, business, etc. advantage. Isn't it a cowardly act? No question about it.

Here's an example about a defamatory blog (in the own words of the victim - let's call him "Joe"):
There is someone who, for complicated psychiatric reasons, developed a severe dislike of me. This is an extraordinarily vindictive and immature girl whom I have NOT wronged in any remotely substantial way. She created an anonymous blog and posted alleging falsely that I'm gay and saying a number of inaccurate and very negative things about my character. (Basically, name-calling.) I'm concerned that this will affect future job prospects since the post appears within the first couple of pages of search results for my name. She confirmed to a mutual friend that she wrote the blog but refused to take it down. Google/blogspot says they don't take down defamatory posts without a court order.

(I am not sure what exactly is legally considered defamatory. Let's assume it's considered defamatory. What actions can Joe take? IMO, hiring a lawyer for a not-so-grave incident like this may be costly for Joe. If he's worried about his online reputation, the first thing he should do is increase his online presence by posting/blogging true facts, writing about topics of interest, etc.)

Now apply this to a business, a corporation, a popular person or even a major religion. The problem comes when we allow people to freely publish incorrect/falsified information without being accountable. Censorship-resistant systems make the problem worse.

3. Data anonymization for statistical analysis
Here we talk about modifying existing records such that sensitive/private information about individuals cannot be inferred from the published data. For example, Alice is doing a survey of cancer patients in Indiana. A good source for her survey is medical records and patient information in the hospitals in Indiana. However, hospitals may not be willing to give Alice raw data as it would violate patient privacy (and is in fact not allowed under law). Since this study could be beneficial (e.g. correlating cancer with location, public facilities, living habits, etc.), the hospitals can anonymize the data such that Alice cannot link what is provided to her with individual residents of Indiana. In the research literature, much work has been done in this area; k-anonymity, l-diversity and t-closeness are just a few examples. A key issue here is the trade-off between privacy and utility. The data can be completely anonymized, providing the highest level of privacy but no utility at all, or the data can be published as it is, providing the highest level of utility but no privacy. On-going research tries to strike a balance between these two parameters: sufficiently protect individually identifiable data while still allowing statistical analysis. I don't have any problem with this type of anonymization; in fact, this type of anonymization is encouraged before releasing data for studies.
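To make the privacy/utility trade-off concrete, here is an added example (not part of the original post) that measures k-anonymity and l-diversity on a small constructed table as the quasi-identifiers (ZIP code and age) are generalized step by step. The records, the generalization levels and the function names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data): (ZIP code, age, diagnosis).
RECORDS = [
    ("47906", 34, "lung cancer"), ("47907", 36, "breast cancer"),
    ("47905", 38, "lung cancer"), ("47901", 52, "leukemia"),
    ("47904", 55, "melanoma"),    ("47909", 58, "leukemia"),
    ("46202", 41, "breast cancer"), ("46204", 47, "breast cancer"),
]

# Generalization levels (ZIP digits kept, age bucket width), ordered from
# most useful (exact values) to most private (everything collapsed).
LEVELS = [(5, 1), (4, 10), (3, 20), (1, 100)]

def generalize(zip_code, age, zip_digits, age_width):
    """Coarsen the quasi-identifiers: keep a ZIP prefix, bucket the age."""
    z = zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits)
    if age_width <= 1:
        return z, str(age)
    lo = age // age_width * age_width
    return z, f"{lo}-{lo + age_width - 1}"

def measure(records, zip_digits, age_width):
    """Return (k, l): the smallest equivalence-class size, and the smallest
    number of distinct diagnoses found inside any equivalence class."""
    classes = defaultdict(list)
    for zip_code, age, diagnosis in records:
        key = generalize(zip_code, age, zip_digits, age_width)
        classes[key].append(diagnosis)
    k = min(len(d) for d in classes.values())
    l = min(len(set(d)) for d in classes.values())
    return k, l

def least_generalized(records, k_target, l_target, levels):
    """First (most useful) level that meets both targets, with its (k, l)."""
    for level in levels:
        k, l = measure(records, *level)
        if k >= k_target and l >= l_target:
            return level, (k, l)
    return None, None

if __name__ == "__main__":
    for level in LEVELS:
        print(level, measure(RECORDS, *level))
    # 2-anonymity alone is met early, but one class holds a single
    # diagnosis, so it still reveals that diagnosis for everyone in it.
    print(least_generalized(RECORDS, 2, 1, LEVELS))
    # Requiring 2-diversity as well forces the coarsest level.
    print(least_generalized(RECORDS, 2, 2, LEVELS))
```

On this table, 2-anonymity is reached at the second level, yet the two Indianapolis-area records share one diagnosis, so only the coarsest level (one ZIP digit, one age bucket) achieves 2-diversity, at which point location and age are useless for analysis.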

As we all know, if you take any real user base, a vast majority of them are good users and only a few of them are bad users. So whatever solution we provide should be beneficial to the vast majority. Since anonymity helps good users in certain scenarios, should we focus more on anonymity over accountability? There are consequences.

As per the first two types, a bad effect of anonymity is that it may reduce the accountability one perceives to have for one's actions. This could be an incentive for good people to turn bad and bad people to turn worse. My mother used to tell us that too much of anything is not good. The same applies here. We need to define an 'acceptable' level of freedom of speech and censorship resistance. IMO, there should be a way to identify bad people in anonymous systems while good people continue to remain anonymous.

Another bad side of anonymity is related to trust. We trust a publication that explicitly mentions its authors more than an anonymous publication, don't we? Of course, there are other ways to increase the level of trust we place in a publication. For example, many people trust it more if the author goes under a pseudonym and that pseudonym has a good history of publication, if it backs up the facts with citations, or if it is in a shared content management system (like Wikipedia) and there is little dispute by other users, etc.

Here's another interesting point raised by Sarah Hinchliff Pearson in her blog:
The National Fair Housing Alliance (NFHA) has been fighting a defamation lawsuit brought by a real estate company that was the target of its fair housing testing. (Disclosure: I helped defend NFHA in this litigation at my prior firm.) NFHA conducted months of well-documented fair housing tests and then reported its results to the media. Despite NFHA’s due diligence, it has been subjected to the burden of ongoing litigation. Yet under amici’s proposed standard, it would likely not have faced this burden if it had reported the results anonymously on the Internet. By giving better protection to anonymous speakers, the heightened standard reflects an implicit judgment that anonymous speech should be valued more highly than regular speech. It also produces a perverse incentive for all speakers to withhold their name from reports, comments, and opinions online.

She argues that we should not place a premium on anonymous contributions. I agree with her when the anonymity is related to publishing. Further, anonymous access may not be desirable for access to restricted materials or when there is a legal requirement to audit. However, for routine tasks such as accessing a digital library (or any other content that has an economic value but is innocuous in nature) or voicing your political opinion, it is desirable to have some degree of anonymity.

In conclusion, ideally I would like to see systems where good guys remain anonymous but bad guys are identified. Anonymity in certain cases is a good thing; but there are situations where it could lead to unpleasant consequences - that's where we need some level of accountability. In certain other cases, you may have to pay a price for remaining anonymous. It is likely the issues mentioned in this post will take time and effort to solve. You are more than welcome to provide your thoughts on this.

Update: 12/1/2009
Here's a good article about the dark side of the Internet that is related to the topic discussed above.
